Skip to main content

Outsourcing Notification Obligations for Investment Firms: Key Considerations

The notification obligation for outsourcing at securities institutions is a central element of supervisory control and transparency. According to Section 40 of the WpIG in conjunction with Delegated Regulation (EU) 2017/565, you, as a securities institution, are obliged to notify certain outsourcing arrangements to the BaFin and the Deutsche Bundesbank.

✨ 1. What Is a Material Outsourcing?

Outsourcing is considered material if a failure in execution could significantly impair compliance with legal requirements, financial performance, or the continuity of services.

Not considered material are, for example:

  • Staff training,

  • Consulting,

  • Simple IT services,

  • Cleaning or security services.

The decisive factor is always the individual risk assessment.


✍️ 2. Your Duties as a Securities Institution

a) Risk Management & Outsourcing Register

You must implement an effective risk management system that identifies and assesses outsourcing risks.

A comprehensive outsourcing register must be maintained – including both material and non-material outsourcing.

b) Notification and Reporting Obligations

You must report:

  • Intention to enter into a material outsourcing,

  • Execution of a material outsourcing,

  • Material changes,

  • Serious incidents.

When and how to notify?

  • Via the BaFin MVP portal

  • Using web form, XML upload or web service


📄 3. Requirements for Outsourcing Agreements

A good contract is essential:

  • A legal representative in Germany must be named for outsourcing to third countries.

  • Clearly defined rights and obligations such as:

    • Right to issue instructions

    • Rights to information and audit

    • Termination rights

    • Provisions for data protection and retention


⚠️ 4. Supervisory Powers of BaFin

BaFin may intervene when:

  • Proper service delivery is at risk,

  • Risks are not adequately managed,

  • Audit rights are restricted.

BaFin can issue instructions to you and the service provider.


🚨 5. Other Organisational Requirements

You remain fully responsible! Therefore, you need:

  • Ongoing monitoring of the service provider

  • Contingency plans and exit strategies

  • Regular risk analyses and reviews


📝 6. Overview of Notification Obligations

Reportable Event Timing of Notification Reporting Channel
Intention of material outsourcing Before implementation BaFin MVP Portal
Execution of the outsourcing Immediately after contract execution BaFin MVP Portal
Material change After the change has occurred BaFin MVP Portal
Serious incident Immediately upon becoming aware MVP Portal / Excel Form

🌐 7. Special Requirements for Third Countries

If outsourcing to third countries:

  • Cooperation agreements with local supervisory authorities may be required

  • German legal representative must be designated

  • Data protection and access controls must be documented


📊 8. Content of Notification According to WpI-AnzV § 13

Your notification must contain detailed information, including:

  • Reference number, contract term, termination periods

  • Processes involved, data categories, cloud models and locations

  • Materiality assessment, risk evaluation, budget

  • Sub-outsourcers, substitutability, contingency planning

In the case of material changes, many of these details must be resubmitted.


🚫 9. What Constitutes a Serious Incident?

Examples include:

  • IT outages that disrupt service delivery for extended periods

  • Legal violations, especially breaches of data protection laws

  • Lack of cooperation with supervisory authorities

  • Reputational damage or looming insolvency of the provider

In such cases, you must inform the authorities immediately.


🔹 Conclusion: What You Must Consider

  • Only material outsourcing arrangements are subject to notification

  • Use the BaFin MVP Portal for all reports

  • Maintain a complete outsourcing register with up-to-date risk assessments

  • Draft precise contracts, especially for third-country outsourcing

  • Plan for emergencies and exit scenarios

  • Ensure all documentation is audit-ready and respond promptly to BaFin inquiries